first commit

2024-09-17 16:50:13 +02:00 · 2024-09-17 16:50:13 +02:00 · 9218e1f02e
commit 9218e1f02e
7 changed files with 353 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,36 @@
+---
+# defaults file for unattended-upgrades
+#### auto-upgrades settings ####
+update_package_lists: 1
+unattended_upgrade: 1
+download_upgradeable_packages: 1
+auto_clean_interval: 7
+
+#### unattended-upgrades settings ####
+origin_pattern:
+  - origin=Debian,codename=${distro_codename}-updates
+  - origin=Debian,codename=${distro_codename}-proposed-updates
+  - origin=Debian,codename=${distro_codename},label=Debian
+  - origin=Debian,codename=${distro_codename},label=Debian-Security
+  - origin=Debian,codename=${distro_codename}-security,label=Debian-Security
+  - origin=Docker,archive=${distro_codename},component=stable,label=Docker CE
+# package_blacklist:
+auto_fix_interrupted_dpkg: true
+minimal_steps: true
+install_on_shutdown: false
+# mail:
+# mail_report: only-on-error
+remove_unused_kernel_packages: true
+remove_new_unused_dependencies: true
+remove_unused_dependencies: true
+automatic_reboot: true
+automatic_reboot_with_users: false
+automatic_reboot_time: 04:00
+# dl_limit: 70
+syslog_enable: false
+only_on_acpower: false
+skip_updates_on_metered_connections: false
+verbose: false
+debug: false
+allow_downgrade: false
+allow_apt_mark_fallback: false
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,2 @@
+---
+# handlers file for unattended_upgrades.role
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,34 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,34 @@
+---
+# tasks file for unattended-upgrades
+- name: Install unattended-upgrades
+  ansible.builtin.package:
+    name: unattended-upgrades
+    state: present
+
+- name: Configure deb
+  ansible.builtin.debconf:
+    name: unattended-upgrades
+    question: unattended-upgrades/enable_auto_updates
+    vtype: boolean
+    value: 'true'
+
+- name: Generate 20auto-upgrades file
+  ansible.builtin.command:
+    cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
+    creates: /etc/apt/apt.conf.d/20auto-upgrades
+
+- name: Configure auto-upgrades
+  ansible.builtin.template:
+    src: templates/auto-upgrades.j2
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Configure unattended-upgrades
+  ansible.builtin.template:
+    src: templates/unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: '0644'
--- a/templates/auto-upgrades.j2
+++ b/templates/auto-upgrades.j2
@ -0,0 +1,18 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+{% if update_package_lists is defined %}
+APT::Periodic::Update-Package-Lists "{{ update_package_lists }}";
+{% endif %}
+
+{% if unattended_upgrade is defined %}
+APT::Periodic::Unattended-Upgrade "{{ unattended_upgrade }}";
+{% endif %}
+
+{% if download_upgradeable_packages is defined %}
+APT::Periodic::Download-Upgradeable-Packages "{{ download_upgradeable_packages }}";
+{% endif %}
+
+{% if auto_clean_interval is defined %}
+APT::Periodic::AutocleanInterval "{{ auto_clean_interval }}";
+{% endif %}
--- a/templates/unattended-upgrades.j2
+++ b/templates/unattended-upgrades.j2
@ -0,0 +1,191 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+{% if origin_pattern is defined %}
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "buster")
+Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+        // Software will be the latest available for the named release,
+        // but the Debian release itself will not be automatically upgraded.
+{% for pattern in origin_pattern %}
+        "{{ pattern }}";
+{% endfor %}
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+//      "o=Debian,a=stable";
+//      "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
+};
+{% endif %}
+
+{% if package_blacklist is defined %}
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+{% for package in package_blacklist %}
+      "{{ package }}";
+{% endfor %}
+};
+{% endif %}
+
+{% if not auto_fix_interrupted_dpkg %}
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+{% endif %}
+
+{% if minimal_steps %}
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+{% endif %}
+
+{% if install_on_shutdown %}
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+Unattended-Upgrade::InstallOnShutdown "true";
+{% endif %}
+
+{% if mail is defined %}
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+//Unattended-Upgrade::Mail "{{ mail }}";
+{% endif %}
+
+{% if mail_report is defined %}
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "{{ mail_report }}";
+{% endif %}
+
+{% if remove_unused_kernel_packages %}
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+{% endif %}
+
+{% if remove_new_unused_dependencies %}
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+{% endif %}
+
+{% if remove_unused_dependencies %}
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+{% endif %}
+
+{% if automatic_reboot %}
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "true";
+{% endif %}
+
+{% if automatic_reboot_with_users %}
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+{% endif %}
+
+{% if automatic_reboot_time is defined %}
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "{{ automatic_reboot_time }}";
+{% endif %}
+
+{% if dl_limit is defined %}
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+Acquire::http::Dl-Limit "{{ dl_limit }}";
+{% endif %}
+
+{% if syslog_enable %}
+// Enable logging to syslog. Default is False
+Unattended-Upgrade::SyslogEnable "true";
+
+// Specify syslog facility. Default is daemon
+Unattended-Upgrade::SyslogFacility "daemon";
+{% endif %}
+
+{% if only_on_acpower %}
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+Unattended-Upgrade::OnlyOnACPower "true";
+{% endif %}
+
+{% if skip_updates_on_metered_connections %}
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+{% endif %}
+
+{% if verbose %}
+// Verbose logging
+Unattended-Upgrade::Verbose "true";
+{% endif %}
+
+{% if debug %}
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+Unattended-Upgrade::Debug "true";
+{% endif %}
+
+{% if allow_downgrade %}
+// Allow package downgrade if Pin-Priority exceeds 1000
+Unattended-Upgrade::Allow-downgrade "true";
+{% endif %}
+
+{% if allow_apt_mark_fallback %}
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
+{% endif %}